Computer Worm Attacks Not Updated WordPress Blogs

Martin Brinkmann
Sep 6, 2009
Updated • Dec 9, 2014
Security

A computer worm is currently in the wild that is attacking unpatched WordPress blogs, meaning blogs that have not been updated by their administrators to the latest version of the popular blogging software.

The worm exploits a known security vulnerability in older versions of WordPress to create a user account and to change the WordPress installation and the permalink structure of the blog. Since it makes public changes to the site, it is easy enough to find out if a site has been successfully attacked by the worm.

All that needs to be done is to look at the URLs of the blog. If they contain more than they should, the blog has most likely fallen prey to the worm.

According to Mashable there are two clues that your blog has been successfully attacked by the computer worm:

There are two clues that your WordPress site has been attacked.

There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account.

Webmasters are asked to update their blogs to the latest version of WordPress immediately. Those that have been hit by the computer worm should back up all files, export their settings, and do a clean install of WordPress. More help is offered on the WordPress website, which explains what needs to be done in case the blog has been hacked.

Rant:

It's Sunday and it is time for a little rant. Webmasters who do not update their blogs as soon as a new version of their blogging software is released are acting stupid. A WordPress update usually takes less than ten minutes and ensures that the blog and server are protected from attacks like these.

Webmasters who do not have the time to perform these updates should consider switching to a hosted blogging platform like that at Blogger or WordPress.com. The automatic update option that has been introduced in recent WordPress versions makes it even easier to update the blog as soon as a new version is released. Webmasters who cannot do this should not operate a self-hosted blog, period.


Comments

  1. Diamonds For Sale said on September 1, 2011 at 7:09 am

    Thank you so much for providing individuals with an exceptionally wonderful possibility to read from this blog. It is usually so kind and also full of a good time for me personally and my office friends to visit the blog on the least three times every week to see the latest issues you have. And indeed, I’m certainly satisfied with all the remarkable things you serve. Certain 2 facts on this page are unequivocally the best we have all had.

  2. energy healing los angeles said on June 15, 2011 at 9:38 pm

    I have seen many posts like this in my life but this is the best among all of them. I want more posts from here like it. Thanks a lot for sharing this post with us.

  3. joon said on January 2, 2011 at 11:18 am

    I recently came across your blog and have been reading along. I thought I would leave my first comment. Nice post!

  4. customize computer said on December 31, 2010 at 5:04 pm

    thanks for your information..
    a computer worm is danger

  5. Fit PC said on July 24, 2010 at 1:32 am

    This is why it’s so important to keep everything updated. Always check to see if there are problems to fix or unwanted intruders like worms.

  6. eazyshare said on September 18, 2009 at 9:20 pm

    thx posting

  7. digitalmind computers said on September 14, 2009 at 6:45 am

    Worms are really not good to hear. I hope this problem will be fixed and will not happen again. Security must be much higher for the blogs.

  8. Lee said on September 11, 2009 at 5:51 am

    I always have problems with computer security. ArrgH! they’re always a pain…

  9. Fery said on September 9, 2009 at 4:54 pm

    It happened to me. The intruder created new administrator inside my WP, but it could be deleted, should I update my WP?

  10. Daniel Sydnes said on September 7, 2009 at 7:39 am

    WordPress.com hosted blogs are NOT affected.

    Automattic regularly updates their application. Since they control what plugins and themes can be used, their attack surface and regression testing is a constant, known quantity.

    Automattic also uses intrusion protection systems and web application firewalls. This helps them recognize attacks in real-time and dynamically shield against them.

  11. Mithun John Jacob said on September 7, 2009 at 6:52 am

    Does this worm affect sites hosted on wordpress.com ?

  12. Daniel Sydnes said on September 7, 2009 at 2:53 am

    @Rarst:

    That shouldn’t have happened. Check your file permissions.

    We use shared hosting delivered by Apache virtual hosts and mod_php. We follow the ‘File Permissions’ section in the ‘Hardening WordPress’ article in the WP Codex:

    http://codex.wordpress.org/Hardening_WordPress

    Since we backup both the filesystem and databases nightly, I was able to use ComponentSoftware’s CSDiff to recursively compare directories and MySQL dumps.

    Our damage was limited to changes in the database:

    – ‘users_can_register’ was enabled in wp_options.

    – ‘permalink_structure’ was changed in wp_options.

    – Additional ‘rewrite_rules’ was added in wp_options.

    – New administrator-level user created, with DHTML code in its ‘first_name’ field to hide it in Users admin panel.

    – WordPress Development RSS feed updated to remove security notice about 2.8.4 Security Release.

    To detect which sites were hacked, I searched for ‘/wp-admin//options-permalink.php’ in our server logs. Since these are split up by virtual host, I used mlocate / slocate to find log file locations, then used xargs to feed them to zgrep for pattern matching:

    locate access_log | xargs zgrep -l 'wp-admin//options-permalink'

    Thanks for the tips regarding PHPIDS, WPIDS, WordPress Firewall Plugin, and .htaccess rules! I tried AskApache Password Protect several months back but couldn’t get it working.
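
The article's two clues and the database and log findings listed in the comment above can be turned into a small offline check. This is an added example, not code from the post or from any commenter; the input shapes (a dict of wp_options rows, a simplified list of user tuples) and all sample data are constructed assumptions.

```python
import re
from urllib.parse import unquote

PHP_MARKERS = ("eval(", "base64_decode(")       # keywords named in the article
LOG_MARKER = "wp-admin//options-permalink"      # log pattern from the comment
MARKUP = re.compile(r"<[^>]+>")                 # any tag inside a name field

def scan_access_log(lines):
    """Return lines that hit the double-slash permalink page or carry the markers."""
    hits = []
    for line in lines:
        decoded = unquote(line).lower()
        if LOG_MARKER in decoded or all(m in decoded for m in PHP_MARKERS):
            hits.append(line)
    return hits

def check_options(options):
    """options: dict of wp_options rows, option_name -> option_value."""
    findings = []
    for name in ("permalink_structure", "rewrite_rules"):
        value = unquote(options.get(name, "")).lower()
        if any(m in value for m in PHP_MARKERS):
            findings.append(f"{name} contains PHP code markers")
    if options.get("users_can_register") == "1":
        findings.append("users_can_register is enabled (confirm it is intended)")
    return findings

def check_admins(users, known_admins):
    """users: (login, role, first_name) tuples; a simplified, assumed shape."""
    findings = []
    for login, role, first_name in users:
        if role == "administrator" and login not in known_admins:
            findings.append(f"unrecognized administrator: {login}")
        if role == "administrator" and MARKUP.search(first_name):
            findings.append(f"markup in first_name of {login}")
    return findings

# Constructed sample data, not taken from a real site.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Sep/2009:10:00:00 +0000] "GET /2009/09/hello/ HTTP/1.1" 200 5120',
    '192.0.2.77 - - [05/Sep/2009:10:00:05 +0000] "GET /wp-admin//options-permalink.php HTTP/1.1" 200 812',
]
SAMPLE_OPTIONS = {"users_can_register": "1", "permalink_structure":
    "/%postname%/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/"}
SAMPLE_USERS = [("admin", "administrator", "Site"), ("tmp01", "administrator", "<b>x</b>")]
if __name__ == "__main__":
    print(*scan_access_log(SAMPLE_LOG), *check_options(SAMPLE_OPTIONS),
          *check_admins(SAMPLE_USERS, {"admin"}), sep="\n")
```

Open registration is legitimate on some sites, so that finding only means something when the setting was changed without the owner's knowledge.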

  13. Rarst said on September 6, 2009 at 8:02 pm

    Tell me about it… My blog was recently hacked because some other blogger on server hadn’t upgraded in forever and hacker went through him to hacking rest of server. :)

    @Daniel Sydnes

    To be fair 2.8 was major release to break stuff. However 2.8.X releases were security updates with very low probability of interfering with plugins and themes.

    Obviously I do not have insight into your business, but if you provide thorough and extensive maintenance (that is not part of the initial deal) – it makes sense to charge for that.

  14. Daniel Sydnes said on September 6, 2009 at 5:09 pm

    Three of our blogs were hit by this worm. While it’s easy to rant about how webmasters should immediately patch web applications, let’s take a moment to reflect…

    Jul 9, 2009 — WP 2.8.1 released which “fixes” privilege escalation issues in the admin pages.

    Jul 20, 2009 — WP 2.8.2 released which fixes XSS vulnerabilities in the admin pages.

    Aug 3, 2009 — WP 2.8.3 Security Release. Additional patches for privilege escalation issues that were missed in 2.8.1.

    Aug 11, 2009 — WP 2.8.4 Security Release. Patch for password reset

    That’s FOUR major security updates in just over a month. Each upgrade requires testing against all active plugins and themes.

    We’re a small web developer shop that hosts ~50 WP sites for some of our clients. We include a set of 25 very common plugins. On average, one of these is updated every 3-4 days.

    WP 2.8 broke 3 plugins (12% of our standard distribution).

    One plugin, WordPress Automatic Upgrade, broke web sites for clients who used it to upgrade from 2.7 to 2.8. We had to manually reinstall WordPress for those early adopters.

    Some plugins, like cformsII and Flutter, are incredibly fragile. One-click upgrade isn’t safe and they must be extensively tested after upgrading EITHER WordPress or the respective plugin.

    So how do you break even on $10/month web hosting? Do you charge extra for WP maintenance? If so, how do you justify extra charges four times in one month?

  15. Rich said on September 6, 2009 at 3:09 pm

    Thanks for the heads up about the vulnerability.

    I never update until a patched release is updated i.e. if 2.8 comes out, I wait for 2.8.1 because I don’t want to deal with all the “teething” problems and plugin compatibility issues caused by an immediate upgrade.

    With that said, I completely agree with keeping up to date (at least to “stable” versions.) Each release your installation gets behind adds up more potential problems when you finally get round to updating.

    1. Martin said on September 6, 2009 at 4:21 pm

      Rich I usually check the change log to see if it is an important update. I update security, stability and performance updates right away. Other updates (those that add new features for example but don’t fix serious problems) can usually wait a bit longer on some of my sites. I do update my main blogs as soon as possible.

      I ran into some compatibility issues in the past which were caused by the WordPress devs changing some behavior of the blog script and some plugin authors who were too slow to update their plugins. But that’s easily fixable usually.
